Signatures
Last updated
Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key , and the public key is the spending public key .
Spelled out, signing takes as input a message hash and proceeds as follows:
(derive the signing secret key from the spending key)
(extract 32 bytes of entropy from the spending key)
(sample another 32 random bytes)
("reduce" hash output into , using extra entropy from addition to the rng)
(the rest is a "standard" Schnorr signature)
The signature is the pair
To verify, we take as input the message and signature and do the following (this is the standard verification procedure):
Accept the signature if . Reject it otherwise.
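Worked example, added here and not Nocturne's own code: the signing and verification flow above in Python over Baby Jubjub (parameters from EIP-2494). SHA-256 stands in for Poseidon, and the exact nonce derivation, challenge inputs and the form of the pair (c, z with z = r - c*sk) are assumptions, since the page omits the formulas.

```python
import hashlib, secrets
# Baby Jubjub (EIP-2494): twisted Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2 over the BN254 scalar field.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A, D = 168700, 168696
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041  # prime subgroup order
B = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
     16950150798460657717958625567821834550301663161624707787222815936182638968203)  # generator of the order-L subgroup
IDENTITY = (0, 1)

def add(p1, p2):
    # Complete twisted Edwards addition law: also correct for doubling and for the identity.
    (x1, y1), (x2, y2) = p1, p2
    x3 = (x1 * y2 + y1 * x2) * pow(1 + D * x1 * x2 * y1 * y2, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - D * x1 * x2 * y1 * y2, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h_to_scalar(*parts):
    # Poseidon stand-in (assumption): SHA-256 over 32-byte big-endian encodings, reduced into Z_L.
    h = hashlib.sha256(b"".join(v.to_bytes(32, "big") for v in parts)).digest()
    return int.from_bytes(h, "big") % L

def keygen(spending_key):
    sk = h_to_scalar(spending_key)  # signing secret key derived from the spending key
    return sk, mul(sk, B)

def sign(spending_key, sk, msg_hash, rand32=None):
    rand32 = secrets.token_bytes(32) if rand32 is None else rand32  # the 32 fresh random bytes
    entropy = hashlib.sha256(spending_key.to_bytes(32, "big")).digest()  # 32 bytes of key-derived entropy
    # Nonce mixes key entropy, fresh randomness and the message: a weak RNG alone does not repeat r.
    r = int.from_bytes(hashlib.sha256(entropy + rand32 + msg_hash.to_bytes(32, "big")).digest(), "big") % L
    Rx, Ry = mul(r, B)
    c = h_to_scalar(Rx, Ry, msg_hash)
    z = (r - c * sk) % L
    return (c, z)

def verify(pk, msg_hash, sig):
    c, z = sig
    if not (0 <= c < L and 0 <= z < L):  # canonical scalars only; otherwise (c+L, z) would also verify
        return False
    Rx, Ry = add(mul(z, B), mul(c, pk))  # R' = zB + c*pk, which equals rB for an honest signature
    return h_to_scalar(Rx, Ry, msg_hash) == c
```

The range check in `verify` is what turns plain unforgeability into the strong (SUF-CMA) flavour the page asks for: without it, a valid signature could be re-encoded into a second valid signature on the same message.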
The signature scheme must be strongly unforgeable under chosen-message attack (SUF-CMA).
Schnorr signature schemes are known to be secure under the discrete log assumption in the random-oracle model. In our case, security rests on the following assumptions:
Poseidon is a random oracle
The discrete log problem is infeasible in Baby Jubjub